-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability Report

Original Date of Vendor Notification:  April 19, 2011 15:15 (GMT - 4:00)

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Webform module
(http://drupal.org/project/webform) "adds a webform node type to your
Drupal site."  The Drupal webform module is the 13th most popular third
party contributed module in the Drupal project, installed on more than
116,000 sites.  The module contains multiple cross site scripting (XSS)
vulnerabilities due to the fact that it fails to sanitize user supplied
input before display.  The module also fails to restrict file uploads to
the Drupal installation directory.

Systems affected:
- -----------------
Drupal 6.20 with Webform 6.x-2.10, Drupal 7.0 with Webform 7.x-3.9 and
Drupal 5.23 with Webform 5.x-2.10 were all tested and shown to be
vulnerable.

Impact
- ------
In specific scenarios unauthenticated users could inject arbitrary
scripts into pages affecting site administrative users.  This could
result in administrative account compromise leading to web server
process compromise.  Another likely scenario would be for an attacker to
inject hidden content (such as iframes, applets, or embedded objects)
that would attack client browsers in an attempt to compromise site
users' machines.  This vulnerability could also be used to launch cross
site request forgery (XSRF) attacks against the site that could have
other unexpected consequences.

Attackers could also use file uploads in webforms to write arbitrary
files to the filesystem as the web server.

Mitigating factors:
- -------------------
In order to exploit the form name upload XSS vulnerability users must be
able to submit webforms with file components, including unauthenticated
users.

In order to exploit form configuration vulnerabilities (using component
names) the attacker must have credentials to an authorized account that
has been assigned the permissions to create and/or edit a webform.  This
could be accomplished via social engineering, brute force password
guessing, or abuse or legitimate credentials.

File uploads are restricted by type based on extension and can only be
written in locations to which the file server has permissions.

Proof of Concept:
- -----------------
1.  Install Drupal and Webform module
2.  Create a new webform at ?q=node/add/webform, using arbitrary values
3.  Edit the form components at ?q=node/X/edit/components where 'X' is
the node id
4.  Type an aritrary name for a new form component and select 'file' as
the type then click 'Add'
5.  In the resulting screen enter
"../../../../../../../../../../../../tmp" in the 'Upload Directory'
6.  Click submit
7.  View the form at ?q=node/X
8.  Select a file using the 'Browse' button then submit the form
9.  Viewing the filesystem the uploaded file can be found in the /tmp
directory

1.  Install Drupal and Webform module
2.  Create a new webform at ?q=node/add/webform, using arbitrary values
3.  Edit the form components at ?q=node/X/edit/components where 'X' is
the node id
4.  Type an aritrary name for a new form component and select 'file' as
the type then click 'Add'
5.  Enter arbitrary values for the file component definitions
6.  View the form at ?q=node/X
8.  Select a file named "<iframe src='index.php'
onLoad='javascript:alert("xss");'>.jpg" using the 'Browse' button then
submit the form
9.  View the results at ?q=node/X/webform-results and click the 'View'
link under 'Operations' for the just submitted form
10.  The iframe and associated javascrip are rendered at
?q=node/X/submission/Y where X is the nid and Y is the submission id

1.  Install Drupal and Webform module
2.  Create a new webform at ?q=node/add/webform, using arbitrary values
3.  Edit the form components at ?q=node/X/edit/components where 'X' is
the node id
4.  Create a new component named '<script>alert("xss");</script>' of any
type and click the 'Add' button
5.  Fill out and submit the form at ?q=node/X where X is the nid
6.  View the 'Analysis' of 'Results' at
?q=node/X/webform-results/analysis to view the rendered JavaScript
7.  View the 'Table' of 'Results' at ?q=node/X/webform-results/table to
view the XSS and file upload name XSS attack

Vendor Response:
- ----------------
No fix for Drupal 5 version.  Upgrade to latest version of Webform for
Drupal 6 and Drupal 7.  http://drupal.org/node/1161954

- -- 
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail may be confirmed using the
PGP key located at: http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAk3b77MACgkQkSlsbLsN1gD5+gb/f+j9GTNGtCZMQFoLWBfTvhXo
CblsVkV/A+qYzbpREXJyGDvomYmoS3YOJkvvHFvAll0hM2sfQNNpb0ATaUW9EaYx
ovDnhshu2uz2tcaTYjey5s+wI0V5vMbis8OBgNMI/qHjCN9SdxpZyCDGCvmro9+J
PCYq1SiXPZMlwh17EgXQH6wtNRTOWm3YUjWbcuxnU0KOMcyBM+LL6BQNJXqMIOoC
SaKiiqnUx8KR8asXdQIzO1mewHRAx4XTmAlmuaZegBpBYvODXcO1as4dkaEIie14
NW29UJKonIfkBMofqkk=
=D4Ao
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/